CESA-2008-003 - rev 1

Heap-based buffer overflow in libxslt

Programs affected: libxslt-1.1.24 and some earlier versions.
Severity: Execution of evil stylesheets may result in arbitrary code
execution.

Similarly to my Ghostscript note, XSLT is a Turing-complete language. Executing
untrusted programs in said languages remains a challenge. The weak points on
the attack surface are often the built-in functions, which do things like take
integers as arguments...

This advisory primarily notes a heap-based buffer overflow in the
crypto:rc4_encrypt function in crypto.c. The issue is
over-trust of the length of an incoming key string:
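As an added illustration (not libxslt's code from crypto.c), the following C routine shows the missing step the advisory describes: the caller-supplied key length is validated against the fixed size of the heap buffer before anything is copied into it. The function names and the RC4_KEY_MAX constant are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* RC4 accepts keys of 1 to 256 bytes. This limit and the constant name belong
 * to the example, not to libxslt. */
#define RC4_KEY_MAX 256

/* Allocate a fixed-size, zero-padded key buffer on the heap and copy the
 * caller-supplied key into it. Returns NULL and sets *out_len to 0 when the
 * key does not fit. Copying key_len bytes into a fixed-size buffer without
 * this check is the over-trust the advisory points at. */
unsigned char *rc4_import_key(const unsigned char *key, size_t key_len,
                              size_t *out_len)
{
    if (key == NULL || out_len == NULL)
        return NULL;
    *out_len = 0;
    if (key_len == 0 || key_len > RC4_KEY_MAX)   /* reject before touching the heap */
        return NULL;
    unsigned char *padkey = calloc(RC4_KEY_MAX, 1);  /* zero padding up to the limit */
    if (padkey == NULL)
        return NULL;
    memcpy(padkey, key, key_len);   /* safe: key_len <= RC4_KEY_MAX was just checked */
    *out_len = RC4_KEY_MAX;
    return padkey;
}

/* Helper for exercising the check: build a constructed key of key_len bytes
 * and report whether rc4_import_key accepts it and pads it to the full size. */
int rc4_key_accepted(size_t key_len)
{
    unsigned char *buf = malloc(key_len ? key_len : 1);
    if (buf == NULL)
        return 0;
    memset(buf, 'k', key_len);
    size_t n = 0;
    unsigned char *padkey = rc4_import_key(buf, key_len, &n);
    int ok = (padkey != NULL) && (n == RC4_KEY_MAX);
    if (ok && key_len < RC4_KEY_MAX)
        ok = (padkey[key_len] == 0);    /* bytes past the key are zero padding */
    free(padkey);
    free(buf);
    return ok;
}
```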